TM1 Forum

I need to define an extensive security scheme on a TM1 model that will mainly be accessed through Cognos Report Studio and Cognos Analysis Studio. The TM1 version used is 9.5.1 and the Cognos BI version used is 8.4.

I found that when I apply element security for some groups (restricting access to just a part of the dimension hierarchy where the top level element is not available), the end users in these security groups are unable to browse the cubes using this dimension in Cognos Analysis Studio. This is because Cognos BI is doing a hierarchy traversal to navigate through a dimension and this traversal is broken when the user does not have access to a node in this traversal (like the top level element).

The only way I can think of now to get around this problem is to apply Cell Security instead of Element Security, as this allows the end users to traverse the dimension hierarchy, while access to certain data points can still be restricted.
Is there anyone else on this forum who dealt with this issue and found other ways to get around this problem?

TIA, Michel

This sounds very similar, identical in fact to issues encountered in EV when using element security. Also there where the hierarchy is being traversed with MDX to build the metadata map view browsing breaks for users who do not have access to a node in the traverse.

The solution for EV is to ensure that the meta data is cached BEFORE the user tries to access the view. This is achieved by setting the "preload" setting for the database (cube) to true and making sure the EV service is restarted after any change to dimensions in TM1.

Well that's how you fix the same issue in EV. Just not sure if Cog BI has the same concept of pre-caching meta data for a FM package or whether this is always executed at run-time using the credentials of the user. If it's the later I don't think there is a solution (other than the one you mentioned of abandoning element security.)

Hi Lotsa,

I read the recent technote on this issue for EV, but sofar I haven't found anything similar to the preload option in Framework Manager.
I'm still hoping to hear from someone that I missed an option

Michel

Hi,

We also do reporting on Cognos 8 BI studios that run on top of TM1 9.5.1 cubes.
We also have data level security requirements on 3 or 4 dimensions of the cubes, where the user is given access to multiple profiles, where a profile is a combinations of elements in those dimensions with the option to use wildcards in profile definitions.
Applying cell security on the cube or applying element security on each of those dimensions does not solve the problem and does not make the cube properly usable in Cognos studios.
We have created a completely seperate dimension which we called security dimension, which has elements as concatenations of possible leaf level element combinations in all of those security related dimensions.
Then we created user consolidations (as we have seperate security group for each user as per our data security requirement) for each user that is the parent of those combinations that the user is allowed to see data for.
We also created a consolidation element which is the parent of all leaf level combinations in this dimension.
Then we applied element security in this security dimension in a way that restricted users will only have access to the user consolidation that is specific to that user, and unrestricted users will only have access to the consolidation element that is the parent of all leaf level elements in that dimension.
This achieves the data security requirement so that all users can see all hierarchies in all dimensions, even for those dimensions that are related to data security. But they do see data only for those cells that they are given access as the data that they see will be filtered by the security dimension, where they will have access to see only one element (and BI studios will use that element by default from that dimension).

Hope this helps.

Regards,